The Result was 21 Viruses . I usually scanned these partitions many times with clamwin and AVG 7.5 Free, both didn't identified those files as viruses. Today Clamwin scan resulted in 21 viruses that i think most of them/all of them r "False positive" Look at the Scan result below:

Note:
- Microsoft Office 2007 is totally legitimate and the files are installed from MS Office DVD.
- MS Visual Studio 2005 is downloaded from the internet.
- Even bettergmail2 (firefox extension) downloaded from the official mozilla addons site is identified as a suspect .

thanks for alerting. It is a false positive, same result on my machine.
We will work with clamav team to get them removed asap.

yma981

Joined: 06 Jun 2008

Posts: 6

Posted: Fri Jun 06, 2008 1:38 pm

Excuse me for asking, as expected these files are ok. How can i restore them to their previous state since for instance excel isn't working anymore.

GuitarBob

Joined: 09 Jul 2006

Posts: 4365

Location: USA

Posted: Fri Jun 06, 2008 1:44 pm

Clam has done a mass delete of that version of Virut from its signatures. To remove/replace from quarantine, keep that scan report handy. ClamWin has renamed them in quarantine. You will have to rename each quarantined file to its original name and then put it back in its original directory location referenced in the scan report.

Regards,

scarlett_156

Joined: 06 Jun 2008

Posts: 24

Location: eastern rural Colorado (USA)

Posted: Fri Jun 06, 2008 7:10 pm

This is the reason I joined the forum just today too. All of a sudden I get all of these notices that these files--which have been on the computer for awhile and never been identified as viruses--have something wrong with them. There were quite a few. I'm glad I checked this before deleting these files.

GuitarBob

Joined: 09 Jul 2006

Posts: 4365

Location: USA

Posted: Fri Jun 06, 2008 8:13 pm

You probably should not delete a file based on an infection without verifying it with several other antivirus programs. You can upload suspect files (one at a time) to the Jotti scanning service at http://virusscan.jotti.org/ on the Web for a free scan with about 20 antiviruses. If several other AVs besides Clam spot an infection, it's probably for real.

Really good malware generally is silent, so if the same infection is spotted in several files on your hard drive during the same scan, there's a good chance it's a false positive. You should always upload files with false positives to the Clam submission page at http://cgi.clamav.net/sendvirus.cgi on the Web--tell them it is false and give the name of the false detection. You will be helping to make Clam/ClamWin a better antivirus program.

Regards,

scarlett_156

Joined: 06 Jun 2008

Posts: 24

Location: eastern rural Colorado (USA)

Posted: Fri Jun 06, 2008 8:23 pm

Thanks, I was gonna do that. I was researching the individual names of the viruses that were found on this morning's scan one by one. I will get a scan from bitdefender in a little while and see what that says, AND I will save that scan report so that I can upload it if it is showing false positives.

Need help restoring false positive quarantined files

jaeasan

Joined: 10 Jun 2008

Posts: 1

Location: Minnesota

Posted: Thu Jun 19, 2008 4:31 am

My MS Excel is disabled and MS Word has problems following the scan.

I was able to replace the following 2 excel files, which permitted opening and reading spreadsheets, but not writing in them.
C:\Program Files\Microsoft Office\Office12\EXCEL.EXE: W32.Virut.Gen.D-163 FOUND
C:\Program Files\Microsoft Office\Office12\excelcnv.exe: W32.Virut.Gen.D-163 FOUND

I am unable to find the location for the other files as documented in the scan report below. Please help, as I have already tried to reinstall Office, and the reinstall also does not work, and redoing the entire system is costly.
Thanks

Seems like those viruses you found were false positives from last week, and the signatures were either corrected or dropped from the signature database a day or so after they were first noticed. Make sure your ClamWin signatures are up to date. If these falsies still show up on your scans, upload the files involved (one at a time) to Clam at http://cgi.clamav.net/sendvirus.cgi on the Web. Be sure to check the false positive block on the submission form, tell them the exact name of the virus that showed up as false, and explain things in the Note block. If you have more than two submissions/files to upload, contact Luca Gibelli first at the link shown near the start of the page.

This is a good reason not to automatically quarantine any virus detected by ClamWin. If there is a false positive on an important file, you could lose it when it goes in quarantine. Set ClamWin's detection preferences to notify instead. I learned this after a false positive showed up on Winlogon and I spent a couple of days restoring my system.

I've submitted the files as a false positive online. I'm not sure what else I can do.

GuitarBob

Joined: 09 Jul 2006

Posts: 4365

Location: USA

Posted: Wed Feb 18, 2009 4:14 am

Submitting the false positives to Clam online is about all you can do for now. With that many FPs, I think they will address it pretty quickly. Continue to do scans of those directories WITH CLAMWIN PREFERENCES SET TO REPORT ONLY. When you no longer detect them, Clam has adjusted their signatures. Give them about three days, and if you continue to get infection notices, resubmit those files. Clam's sigmakers usually handle their own false positives, so if someone is away for a while, it might take a little longer.

If you don't want to worry/work at it, you can set ClamWin preferences to exclude those files from directory scans, but you will not know when/if Clam adjusts the sigs.

Regards,

daduck

Joined: 16 Apr 2009

Posts: 1

Location: Castro Valley

Posted: Thu Apr 16, 2009 11:20 pm

So what does all this mean? Has Clamscan been up dated to eliminate these false positives?
I ran a scan today and found very much the same errors. Are they False positives ???

C:\Program Files\Microsoft Office\Office12\EXCEL.EXE: W32.Virut.Gen.D-163 FOUND
C:\Program Files\Microsoft Office\Office12\excelcnv.exe: W32.Virut.Gen.D-163 FOUND
C:\Program Files\MSECache\O2007Cnv\1033\O12Conv.cab: W32.Virut.Gen.D-163 FOUND
C:\WINDOWS\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6021\XL12CNV.EXE: W32.Virut.Gen.D-163 FOUND
C:\WINDOWS\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6215\XL12CNV.EXE: W32.Virut.Gen.D-163 FOUND
C:\WINDOWS\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.4518\EXCEL.EXE: W32.Virut.Gen.D-163 FOUND
C:\WINDOWS\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.6215\EXCEL.EXE: W32.Virut.Gen.D-163 FOUND
C:\WINDOWS\Installer\$PatchCache$\Managed\000021091A0000000000000000F01FEC\12.0.4518\VBE6.DLL: W32.Virut.Gen.D-159 FOUND
C:\WINDOWS\Installer\133c30.msp: W32.Virut.Gen.D-163 FOUND
C:\WINDOWS\Installer\148246f.msp: W32.Virut.Gen.D-163 FOUND
C:\WINDOWS\Installer\338bb14.msp: W32.Virut.Gen.D-163 FOUND
C:\WINDOWS\Installer\585b8.msp: W32.Virut.Gen.D-163 FOUND
C:\WINDOWS\Installer\66f0304.msp: W32.Virut.Gen.D-163 FOUND
C:\WINDOWS\Installer\7f8d36.msp: W32.Virut.Gen.D-163 FOUND
C:\WINDOWS\Installer\baad7b.msp: W32.Virut.Gen.D-163 FOUND

GuitarBob

Joined: 09 Jul 2006

Posts: 4365

Location: USA

Posted: Fri Apr 17, 2009 3:09 am

It looks like false positives. There are lots of files found infected, but there are only two viruses involved. This is usually a sign of a false positive. Clam will not change a signature until you/someone uploads a file containing a false positive detection and tell them it is a false positive. The Clam upload site is at http://www.clamav.net/sendvirus/ on the web. You will be doing yourself/all ClamWin users a favor if you report the false positives and upload one of the files where each virus is detected. Put each file/virus in a separate report.

They appear to be having problems with some generic (GEN) detections with version 0.95.1.

Regards,

hi, im new to this.

devillish tease

Joined: 28 Apr 2009

Posts: 2

Posted: Tue Apr 28, 2009 12:32 pm

I just done a scan and it said i had 5 virus, so i googled one of them and came across this page, im not sure if ive copied the right part of the scan, but are these virus or just glitchs with clamwin?
Thank you in advance for any help anyone can give me.

Clam knows about the false positive on Excel-related files for Virut.Gen.D-163 and are supposed to be working on it. Whenever you get several files with the same "infection," that's often a sign of a false positive. Viruses that are designed to make their creators money by evil means generally try to be a little more stealthy than infecting every file around!

Send any other files that you think that may be false positives to Clam via their file submission page, which can be accessed at http://www.clamav.net/sendvirus/ on the web. For false positives, be sure to check the false positive block and name the virus in the comment section and tell why you think it is a false positive.